Skip to main content

Single Sign-On (SSO)

Single sign-on lets users authenticate once with a central identity provider to access many applications securely.

Single sign-on (SSO) lets a user authenticate once with a central identity provider and then access many applications without logging in again. It improves both user experience and security by centralizing authentication.

How It Works

In SSO, applications (service providers) delegate authentication to a trusted identity provider (IdP). When a user visits an application, they are redirected to the IdP. If they are not already authenticated, they log in; if they have an existing session, the IdP confirms their identity immediately. The IdP then returns a signed assertion or token that the application trusts.

Two protocols dominate. SAML uses signed XML assertions and is common in enterprise and legacy applications. OpenID Connect, built on OAuth 2.0, uses signed JSON web tokens and is preferred for modern web and mobile apps. In both cases, the application never sees the user's password.

Because authentication is centralized, controls such as multi-factor authentication, conditional access, and account disablement are enforced in one place.

Why It Matters

SSO reduces password fatigue: users manage one strong credential instead of dozens. This lowers risky behaviors like password reuse and writing passwords down. For organizations, centralized control means faster onboarding and instant offboarding by disabling one account.

Security is concentrated, which is both a strength and a risk. Strong protection of the IdP, including MFA, is essential, because compromising the IdP can expose every connected application.

SSO is a foundation of modern identity and a natural fit for zero-trust strategies.

Related Terms

Single sign-on is implemented with OpenID Connect or SAML, often issuing JSON web tokens, and is reinforced by multi-factor authentication.